@emarketeer/ts-microservice-commons 7.1.0-beta.21 → 7.1.0-beta.23

package/dist/cdk/cjs/index.js

@@ -2075,6 +2075,7 @@ class EmStack extends cdk.Stack {
             costCenter: props.costCenter,
             customTags: props.tags
         });
+        cdk.Tags.of(this).add('em-microservice', `${props.stage}-${props.serviceName}`);
         if (props.useSharedRole) {
             this.sharedRole = new awsIam.Role(this, 'LambdaExecutionRole', {
                 roleName: `${props.serviceName}-${props.stage}-${this.region}-lambdaRole`,
@@ -2088,6 +2089,44 @@ class EmStack extends cdk.Stack {
             overrideRoleLogicalId(this.sharedRole);
         }
     }
+    /**
+     * Update default function config after construction.
+     * Use this when defaults depend on resources created after `super()`.
+     * Environment is deep-merged with any existing defaults.
+     *
+     * @example
+     * ```typescript
+     * // After creating resources:
+     * this.setDefaultFunctionConfig({
+     *   environment: sharedEnvironment,
+     *   vpcConfig,
+     * })
+     * ```
+     */
+    setDefaultFunctionConfig(config) {
+        this.defaultFunctionConfig = {
+            ...this.defaultFunctionConfig,
+            ...config,
+            environment: {
+                ...(this.defaultFunctionConfig.environment ?? {}),
+                ...(config.environment ?? {})
+            }
+        };
+    }
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    mergeConfig(config) {
+        const defaults = this.defaultFunctionConfig;
+        const merged = { ...defaults, ...config };
+        const defaultEnv = this.defaultFunctionConfig.environment;
+        const configEnv = config.environment;
+        if (defaultEnv || configEnv) {
+            merged.environment = {
+                ...(defaultEnv ?? {}),
+                ...(configEnv ?? {})
+            };
+        }
+        return merged;
+    }
     /**
      * Create a Lambda function. Defaults `stage` and `serviceName` from the stack.
      *
@@ -2096,12 +2135,9 @@ class EmStack extends cdk.Stack {
      * - Overrides log group logical ID to `{prefix}LogGroup`
      * - Sets log group removal policy to RETAIN
      * - Uses the shared role unless `config.role` is provided
-     *
-     * This means existing Serverless stacks are migrated in-place — no manual
-     * logical ID overrides needed.
      */
     createFunction(id, config) {
-        const merged = { ...this.defaultFunctionConfig, ...config };
+        const merged = this.mergeConfig(config);
         const resolved = resolveHandlerPath(merged);
         const functionName = resolved.functionName;
         const handler = resolved.handler ?? merged.handler;
@@ -2148,7 +2184,7 @@ class EmStack extends cdk.Stack {
      * ```
      */
     createQueueConsumer(id, config) {
-        const merged = { ...this.defaultFunctionConfig, ...config };
+        const merged = this.mergeConfig(config);
         const { functionName } = resolveHandlerPath(merged);
         return new LambdaWithQueue(this, id, {
             ...merged,
@@ -2175,11 +2211,10 @@ class EmStack extends cdk.Stack {
     createScheduledFunction(id, config) {
         const { schedule, ruleName, ruleDescription, ...functionConfig } = config;
         const fn = this.createFunction(id, functionConfig);
-        const resolved = resolveHandlerPath({ ...this.defaultFunctionConfig, ...functionConfig });
         const rule = new EmEventBridgeRule(this, `${id}Rule`, {
             stage: config.stage ?? this.stage,
             serviceName: config.serviceName ?? this.serviceName,
-            ruleName: ruleName ?? resolved.functionName,
+            ruleName: ruleName ?? resolveHandlerPath(functionConfig).functionName,
             description: ruleDescription,
             schedule
         });
@@ -2202,6 +2237,68 @@ class EmStack extends cdk.Stack {
         const arn = `arn:${cdk.Aws.PARTITION}:sns:${cdk.Aws.REGION}:${cdk.Aws.ACCOUNT_ID}:${this.stage}-alarm-email`;
         return awsSns.Topic.fromTopicArn(this, 'AlarmTopic', arn);
     }
+    /**
+     * Add a Lambda invoke policy to the shared role.
+     * @param functionPattern - Optional function name pattern. Defaults to `{stage}-{serviceName}-*`.
+     *   Pass `'*'` for account-wide access.
+     */
+    addLambdaInvokePolicy(functionPattern) {
+        this.requireSharedRole('addLambdaInvokePolicy');
+        const pattern = functionPattern ?? `${this.stage}-${this.serviceName}-*`;
+        this.sharedRole.addToPolicy(new awsIam.PolicyStatement({
+            effect: awsIam.Effect.ALLOW,
+            actions: ['lambda:InvokeFunction'],
+            resources: [
+                `arn:${cdk.Aws.PARTITION}:lambda:${cdk.Aws.REGION}:${cdk.Aws.ACCOUNT_ID}:function:${pattern}`
+            ]
+        }));
+    }
+    /**
+     * Add a Kinesis PutRecord/PutRecords policy to the shared role.
+     * @param streamName - Short stream name (prefixed with `{stage}-`).
+     */
+    addKinesisPolicy(streamName) {
+        this.requireSharedRole('addKinesisPolicy');
+        const arn = `arn:${cdk.Aws.PARTITION}:kinesis:${cdk.Aws.REGION}:${cdk.Aws.ACCOUNT_ID}:stream/${this.stage}-${streamName}`;
+        this.sharedRole.addToPolicy(new awsIam.PolicyStatement({
+            effect: awsIam.Effect.ALLOW,
+            actions: ['kinesis:PutRecord', 'kinesis:PutRecords'],
+            resources: [arn]
+        }));
+    }
+    /**
+     * Add an SNS Publish policy to the shared role.
+     * @param topicOrName - An ITopic reference, or a short topic name (prefixed with `{stage}-`).
+     */
+    addSnsPublishPolicy(topicOrName) {
+        this.requireSharedRole('addSnsPublishPolicy');
+        const arn = typeof topicOrName === 'string'
+            ? `arn:${cdk.Aws.PARTITION}:sns:${cdk.Aws.REGION}:${cdk.Aws.ACCOUNT_ID}:${this.stage}-${topicOrName}`
+            : topicOrName.topicArn;
+        this.sharedRole.addToPolicy(new awsIam.PolicyStatement({
+            effect: awsIam.Effect.ALLOW,
+            actions: ['sns:Publish'],
+            resources: [arn]
+        }));
+    }
+    /**
+     * Add an SQS SendMessage policy to the shared role.
+     * @param queueName - Short queue name (prefixed with `{stage}-`).
+     */
+    addSqsSendPolicy(queueName) {
+        this.requireSharedRole('addSqsSendPolicy');
+        const arn = `arn:${cdk.Aws.PARTITION}:sqs:${cdk.Aws.REGION}:${cdk.Aws.ACCOUNT_ID}:${this.stage}-${queueName}`;
+        this.sharedRole.addToPolicy(new awsIam.PolicyStatement({
+            effect: awsIam.Effect.ALLOW,
+            actions: ['sqs:SendMessage', 'sqs:GetQueueAttributes', 'sqs:GetQueueUrl'],
+            resources: [arn]
+        }));
+    }
+    requireSharedRole(methodName) {
+        if (!this.sharedRole) {
+            throw new Error(`${methodName}() requires useSharedRole: true on the stack.`);
+        }
+    }
     /**
      * Create a CfnOutput with a stable export name.
      * Export pattern: `sls-{serviceName}-{stage}-{outputKey}`
@@ -2245,6 +2342,9 @@ function createRdsVpcConfig(scope, stage, config) {
     if (config.overrideLogicalIds?.ingress) {
         ingress.overrideLogicalId(config.overrideLogicalIds.ingress);
     }
+    if (config.sharedRole) {
+        config.sharedRole.addManagedPolicy(awsIam.ManagedPolicy.fromAwsManagedPolicyName('service-role/AWSLambdaVPCAccessExecutionRole'));
+    }
     return {
         vpc,
         vpcSubnets: { subnets: privateSubnets },